How Do I Get Rid of This Cryptomining Virus?
Okay, so about a few days ago I noticed that exactly at the beginning of every hour, I would get a command prompt console open. Sometimes it would open for a second and then minimize into the background, but sometimes it would stay open and I would see it mining DAG or something from my GPU.
I went into Task Manager and found the app running it (called User.exe) opened its file location (AppData/Local) and deleted two files named User.exe and another named Profile.exe.
I went into Task Scheduler and deleted the schedule that Profile.exe (which is used to launch the command prompt, User.exe) launches every hour.
Should be fine and gone, right? Nope. While I was using my PC, it came back. Re-adds the schedule, and readds the app to AppData/Local.
I download procexp and find User.exe, and see that it uses a launch command (that I couldn’t see in properties or anywhere else) that connects user.exe to 2miners.com, using KAWPOW, uses asia-rvn.2miners.com specifically.
I downloaded Kaspersky, then MalwareBytes, and then used Windows Security when each one did nothing. Kaspersky was the only one that Identified it as a virus, both skipped it and said something about it being ‘impossible’.
I booted Windows in safe mode multiple times and deep scanned the PC, and nothing happened.
I used VirusTotal to search for it, it and give me a 0/48, when I used procexp for it, it gave me 18/48.
I searched through the registry for something but did not find anything.
I see a lot of online solutions basically saying, fresh install, nothing would help, but i can’t. I have TBs of information all integrated into this Windows system, all years old and I have no clue where I got them from, but most of them are for my editing software, for my music production, and for my small coding attempts, so reinstalling Windows is not an option for me.
What do I do? It’s so annoying having to shut it down every hour.Utilisateur Reddit
If you’re dealing with a persistent cryptomining virus that reappears despite your efforts to remove it, you’re facing a challenging but solvable problem. This guide provides a step-by-step approach to thoroughly remove cryptomining malware from your system and prevent its recurrence without a full Windows reinstall.
Cryptomining Virus at Virustotal
- Isolate Your System: Disconnect from the internet to prevent the malware from communicating with its command server.
- Identify Malicious Processes: Use tools like Process Explorer to continuously monitor and note down any suspicious processes that initiate at the top of the hour.
Cryptomining Virus Removal
- Use Advanced Malware Removal Tools: Since standard antivirus tools have failed, consider using Gridinsoft Anti-Malware, which is designed to target and eliminate tough malware infections. Perform a deep scan and follow the prompts to remove any detected threats.
- Manually Remove Residual Files: Go back to AppData/Local and ensure that all files related to the User.exe and Profile.exe are permanently deleted.
- Modify Hosts File: Prevent connections to known malicious sites by adding their URLs to your hosts file:
- Navigate to
C:\Windows\System32\drivers\etc\ - Edit the hosts file to redirect the domains associated with the malware to
127.0.0.1.
- Navigate to
- Secure Task Scheduler: Revisit Task Scheduler and delete any unrecognized tasks that could be used to relaunch the malware. Secure it by setting permissions to prevent unauthorized changes.
- Examine and Edit the Registry: Use the Registry Editor with extreme caution to search for and remove any entries related to the malware. Be sure to back up the registry before making changes.
- Lock Down Firewall Rules: Set strict outbound rules on your firewall to block unrecognized applications from accessing the internet.
Remove Cryptomining Virus with Gridinsoft Anti-Malware
Nous utilisons également ce logiciel sur nos systèmes depuis, et il a toujours réussi à détecter les virus. It has blocked the most common Malware as montré par nos tests avec le logiciel, and we assure you that it can remove Cryptomining Virus as well as other malware hiding on your computer.
Pour utiliser Gridinsoft pour supprimer les menaces malveillantes, suivez les étapes ci-dessous:
1. Commencez par télécharger Gridinsoft Anti-Malware, accessible via le bouton bleu ci-dessous ou directement depuis le site officiel grilleinsoft.com.
2.Une fois le fichier d'installation de Gridinsoft (setup-gridinsoft-fix.exe) est téléchargé, exécutez-le en cliquant sur le fichier. Follow the installation setup wizard's instructions diligently.
3. Accéder au "Onglet Numérisation" on the application's start screen and launch a comprehensive "Scan complet" pour examiner l'intégralité de votre ordinateur. Cette analyse inclusive englobe la mémoire, éléments de démarrage, le registre, prestations de service, Conducteurs, et tous les fichiers, s'assurer qu'il détecte les logiciels malveillants cachés dans tous les emplacements possibles.
Sois patient, as the scan duration depends on the number of files and your computer's hardware capabilities. Profitez de ce temps pour vous détendre ou vous occuper d'autres tâches.
4. Une fois terminé, Anti-Malware présentera un rapport détaillé contenant tous les éléments malveillants et menaces détectés sur votre PC.
5. Sélectionnez tous les éléments identifiés dans le rapport et cliquez en toute confiance sur le "Nettoie maintenant" bouton. Cette action supprimera en toute sécurité les fichiers malveillants de votre ordinateur, les transférer vers la zone de quarantaine sécurisée du programme anti-malware pour éviter toute autre action nuisible.
6. Si vous y êtes invité, redémarrez votre ordinateur pour finaliser la procédure d'analyse complète du système. Cette étape est cruciale pour garantir la suppression complète de toutes les menaces restantes.. Après le redémarrage, Gridinsoft Anti-Malware s'ouvrira et affichera un message confirmant le fin de l'analyse.
N'oubliez pas que Gridinsoft propose un essai gratuit de 6 jours. Cela signifie que vous pouvez profiter gratuitement de la période d'essai pour profiter de tous les avantages du logiciel et prévenir toute future infection par des logiciels malveillants sur votre système.. Embrace this opportunity to fortify your computer's security without any financial commitment.
Preventive Measures
- Regularly update your operating system and all applications to close security vulnerabilities.
- Review and limit administrative privileges on your system to essential users only.
- Continuously monitor and review installed programs and running processes for any unusual activity.
- Maintain regular backups of important data to external drives or cloud storage, separate from your main system.
While removing a persistent cryptomining virus can be complex, following these detailed steps will help you clean your system effectively and maintain its integrity. If the problem persists, consider consulting with a professional cybersecurity expert.
Laissez un commentaire